Pulse Detail — Threat Intelligence

PULSE NAME

UAC0184 Steganography Based Remcos Campaign

WHITE cryptocti 2026-05-22 Modified: 2026-05-22

IOCs

MEDIUM VOLUME

UAC0184 runs a multi-stage phishing campaign using fake documents and shortcut files to trick users into execution. The attack abuses legitimate Windows tools like BITSAdmin and PowerShell to download and run malicious content. It uses steganography to hide malware inside image files, which is then extracted by a loader.

Indicators of Compromise (12)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	b0405f718860843883813541a5d886c3	MD5 of df6942dc1a89226359adf1aac597c3b270f4a408214b4f7c2083f9524605e0f7	2026-05-22
FileHash-SHA1	901d1dbb7a41569d2c5093f41a8194818aba695f	SHA1 of df6942dc1a89226359adf1aac597c3b270f4a408214b4f7c2083f9524605e0f7	2026-05-22
FileHash-SHA256	df6942dc1a89226359adf1aac597c3b270f4a408214b4f7c2083f9524605e0f7	—	2026-05-22
FileHash-SHA256	eee6b8f69bd3e65fa29142e7965b7a0d8bdec03d36e7c67266746ae54ebb493a	—	2026-05-22
FileHash-SHA256	f81e8b6ca1e0c4ee7ca8668df4b3792ccb1608eed8bbf94a2247d869264540f2	—	2026-05-22
IPv4	169.40.135.35	CC=US ASN=ASNone	2026-05-22
URL	http://169.40.135.35/dctrpr/agentdiesel.hta	—	2026-05-22
URL	http://169.40.135.35/dctrpr/basketpast.hta	—	2026-05-22
URL	http://169.40.135.35/dctrpr/slippersuppity.hta	—	2026-05-22
URL	http://169.40.135.35/dctrprraclus.zip	—	2026-05-22
URL	https://fus.rngupdatem.buzz	—	2026-05-22
hostname	fus.rngupdatem.buzz	—	2026-05-22